CVE-2026-3244

Medium CVSS: 4.8

In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting

Vendor

Concretecms

Product

Concrete Cms

CWE

CWE-79

Yayın Tarihi

2026-03-04 02:15:54

Güncelleme

2026-03-04 21:37:24

Source Identifier

ff5b8ace-8b95-4078-9743-eac1ca5451de

KEV Date Added

Kategoriler

CWE-79 Concrete Cms MEDIUM Concretecms 2026

Referanslar

https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes https://github.com/concretecms/concretecms/pull/12826

Benzer Kayıtlar

Medium

CVE-2026-30662

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method…

Medium

CVE-2026-3241

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block…

Medium

CVE-2026-3242

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concre…

Low

CVE-2026-2994

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configu…

Medium

CVE-2026-3240

In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored…

High

CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express…